Blog

Your first hour with MySQL on AIX

Most modern Linux distributions either ship MySQL or let you add it in one step with a package manager such as YUM. AIX has no equivalent tool, so you have to manually download the individual RPMs and their prerequisites.

Here is an example of how to download the packages, install and configure them:


Maintaining an AIX firewall

AIX has long shipped a packet-filtering capability (the IP Security filter rules, commonly known as ipfilters), but IBM never did a particularly good job of either publicising or documenting it. The filter rules can be managed from the command line (genfilt, mkfilt, lsfilt, rmfilt, expfilt, impfilt and friends) or via smit, and the toolset is part of the LPP bos.net.ipsec.rte.

1. If you already have an .exp file, copy your firewall rules file (e.g. ipsec_fltr_rule.exp) to a temporary directory; otherwise export the active rules as follows:

# expfilt -v4 -f /tmp/ipfilt.exp
Directory /tmp/ipfilt.exp created.
Filter rule 2 for IPv4 has been exported successfully.
Filter rule 3 for IPv4 has been exported successfully.
Filter rule 4 for IPv4 has been exported successfully.
Filter rule 5 for IPv4 has been exported successfully.
...
Filter rule 56 for IPv4 has been exported successfully.
Filter rule(s) have been exported to /tmp/ipfilt.exp/ipsec_fltr_rule.exp successfully.
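The export above goes to /tmp, which is world-writable and cleared at boot, and nothing checks that the rules file actually appeared before the rules are edited. The following is an added example, not code from the original post, that wraps expfilt so the backup lands in a root-only, timestamped directory and the script refuses to continue if no rules were written. It assumes expfilt behaves as shown on the page (creating the target directory and writing ipsec_fltr_rule.exp into it); the base directory /var/adm/ipfilt is my choice, not an AIX convention.

```shell
#!/bin/sh
# Added example (not from the original post): export the active IPv4 filter
# rules to a timestamped, root-only directory before touching them, and
# refuse to continue if the export did not produce a rules file.
# Assumptions: expfilt creates the target directory itself and writes
# ipsec_fltr_rule.exp into it (as on the page); /var/adm/ipfilt is an
# arbitrary choice for the backup location.

# backup_filter_rules [base_dir]
# Prints the directory that now holds ipsec_fltr_rule.exp, or returns 1.
backup_filter_rules() {
    base=${1:-/var/adm/ipfilt}
    stamp=$(date +%Y%m%d%H%M%S)
    dir="$base/$stamp"

    # Create only the parent: expfilt creates the target directory itself.
    mkdir -p "$base" && chmod 700 "$base" || return 1
    if [ -e "$dir" ]; then
        echo "refusing to reuse existing $dir" >&2
        return 1
    fi

    # -v4 = IPv4 rules, -f = destination directory (as on the page).
    expfilt -v4 -f "$dir" >"$base/expfilt.$stamp.log" 2>&1 || {
        echo "expfilt failed, see $base/expfilt.$stamp.log" >&2
        return 1
    }

    # Check the export landed where we asked and is non-empty before
    # anyone relies on it as the restore point.
    if [ ! -s "$dir/ipsec_fltr_rule.exp" ]; then
        echo "no rules exported to $dir" >&2
        return 1
    fi
    chmod 700 "$dir"
    echo "$dir"
}

# Typical use, before editing rules with genfilt/chfilt/rmfilt:
#   saved=$(backup_filter_rules) || exit 1
```

Run it as root before every rule change; the printed directory is what you hand to impfilt if the edit goes wrong.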


DNS lookup configuration

AIX offers a confusing array of options when configuring your system to be a simple DNS client. The traditional way is to create an "/etc/resolv.conf" file listing the addresses of up to three DNS servers, one per nameserver line.

The problem is that this configuration only ever contacts the first nameserver in the list, and only moves on to the next after a query to the first has timed out, so a dead first server adds the full timeout to every lookup. One visible symptom is logging in to a server and waiting a long time before the password prompt appears (although there can be other reasons for that).

These additional resolver options cause the servers to be contacted on a round-robin basis and the resolver to move to the next server after two failed attempts, each with a two-second timeout.

options debug

Those who are interested in analysing their traffic can add the debug option, but it generates a lot of output and affects performance.

The next file to tune is “/etc/netsvc.conf”:

hosts=local4,bind

In its simplest form this line tells AIX to consult "/etc/hosts" for IPv4 names first and then fall back to DNS for anything unresolved. "local,bind" would check the hosts file for both IPv4 and IPv6 names; reversing the order, or removing the "local" entry, gives DNS absolute precedence.

It doesn't finish there, as there is also a dedicated network caching daemon (netcd) which is started from the SRC (lssrc -s netcd). The daemon is controlled by "/etc/netcd.conf" and it writes a log file to "/var/tmp/netcd.log".

There is an example configuration file in “/usr/samples/tcpip/netcd.conf”.
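As an added example that is not part of the original post, the script below writes the resolver and name-service ordering files described above into a staging directory, and audits an existing resolv.conf for the "first server only" pitfall. The nameserver addresses are placeholders from the RFC 5737 documentation range, and I am assuming that the round-robin, two-attempt, two-second behaviour described on the page corresponds to the standard resolver keywords rotate, attempts:n and timeout:n.

```shell
#!/bin/sh
# Added example (not from the original post): stage the recommended
# resolver files and audit an existing resolv.conf for the case where
# several nameservers are listed but only the first is ever used.
# Assumptions: placeholder nameserver addresses; the page's round-robin,
# attempt and timeout behaviour maps to the standard resolver keywords
# rotate, attempts:n and timeout:n.

# render_resolver_config DIR: writes DIR/resolv.conf and DIR/netsvc.conf.
# Review the staged files, then copy them into /etc.
render_resolver_config() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat >"$dir/resolv.conf" <<'EOF'
domain example.com
nameserver 192.0.2.10
nameserver 192.0.2.11
nameserver 192.0.2.12
options rotate attempts:2 timeout:2
EOF
    # /etc/hosts first for IPv4 names, then DNS for anything unresolved.
    cat >"$dir/netsvc.conf" <<'EOF'
hosts=local4,bind
EOF
}

# audit_resolv_conf FILE: returns 1 when several nameservers are listed
# without rotate (the second and third are only used after the first one
# times out) or without an explicit timeout (a dead first server then
# delays every lookup by the default timeout).
audit_resolv_conf() {
    f=$1
    servers=$(grep -c '^nameserver' "$f" || true)
    if [ "$servers" -gt 1 ] && ! grep -q '^options.*rotate' "$f"; then
        echo "$f: $servers nameservers but no 'options rotate'"
        return 1
    fi
    if [ "$servers" -gt 1 ] && ! grep -q '^options.*timeout:' "$f"; then
        echo "$f: default timeout in use; a dead first server delays every lookup"
        return 1
    fi
    return 0
}

# Live use:  audit_resolv_conf /etc/resolv.conf
#            render_resolver_config /tmp/resolver.staging
```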


Merging LDAP and local groups

Until recently it was impossible for a user to be a member of both local and LDAP groups, which made centrally managing applications such as Oracle, whose installations depend on specific group memberships, particularly problematic.

This can now be overcome by setting the "domainlessgroups" attribute to true in "/etc/security/login.cfg". The AIX documentation describes it as follows:

"domainlessgroups: Defines the system configuration for merging the user's group attributes among LDAP and files modules. Only files and LDAP modules are supported. Valid values are "true" or "false". "true": When this attribute is set as true, the group attribute is merged from the LDAP and files modules, i.e. LDAP users can be assigned local groups and vice versa. "false": When this attribute is set as false, the group attribute is not merged from the LDAP and files modules."

Network security tunables

Tells the Internet Protocol that strictly source-routed packets may be addressed to hosts outside the local network. Disabling this prevents access through source-routing attacks.

tcp_icmpsecure

/usr/sbin/no -o tcp_icmpsecure=1

Protects TCP connections against ICMP (Internet Control Message Protocol) source quench and PMTUD (Path MTU Discovery) attacks by checking that the TCP sequence number carried in the ICMP payload falls within the connection's acceptable window before acting on the message. Values: 0 = off (default); 1 = on.

ip_nfrag

/usr/sbin/no -o ip_nfrag=200

Maximum number of fragments of one IP packet that can be held on the IP reassembly queue at a time (the default of 200 keeps up to 200 fragments per packet). Bounding this limits the memory an attacker can tie up with incomplete fragment sets.

rfc1122addrchk

/usr/sbin/no -o rfc1122addrchk=1

Performs the address validation described in RFC 1122. The default (0) performs no check; setting it to 1 rejects packets, including incoming and outgoing SYNs, whose source or destination is a loopback or multicast address.

Default maximum segment size used when communicating with remote networks. Values: default 512; range 512 to (MTU of local net - 64). A change takes effect immediately and lasts until the next boot; to make it permanent, add the no command to /etc/rc.net (on AIX 5.2 and later, no -p records the value for the next boot instead). Diagnosis: N/A. Tuning: increase, if practical.

tcp_conn_request_max

20-500

Maximum number of pending TCP connection requests that can be queued on a listening socket. Suggested range: 20-500.

tcp_recvspace

/usr/sbin/no -o tcp_recvspace=

Default size of the TCP socket receive buffer. Default: 16384. Range: 0 to 64 KB if rfc1323=0; 0 to 4 GB if rfc1323=1. Must be less than or equal to sb_max; should equal tcp_sendspace and be uniform across frequently accessed AIX systems.

sb_max

/usr/sbin/no -o sb_max=

Upper limit on the buffer space a single socket may use. tcp_sendspace and tcp_recvspace must not exceed it, so raise sb_max first when increasing either of them.

tcp_syn_rcvd_max

500

Maximum number of half-open connections (SYN_RCVD state) the system will hold. Bounding it limits the damage a SYN flood, a common denial-of-service technique, can do.

tcp_sendspace

/usr/sbin/no -o tcp_sendspace=

Default size of the TCP socket send buffer. Same range and constraints as tcp_recvspace: must not exceed sb_max and should equal tcp_recvspace.

tcp_tcpsecure

/usr/sbin/no -o tcp_tcpsecure=7

Protects established TCP connections against blind in-window attacks. Values: 0 = no protection; 1 = protect against a fake SYN sent to an established connection; 2 = protect against a fake RST; 4 = protect against data injected into an established connection; 3, 5, 6 and 7 enable combinations of these, with 7 enabling all three.
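Setting these by hand on one box is easy; knowing whether a fleet still has them is the harder part. The following added example, not from the original post, compares the security tunables above against the live values reported by "no -a" and prints the "no" commands needed to bring a host into line. The baseline values are the ones given on this page (with rfc1122addrchk=1 enabling the RFC 1122 check); "no -p -o" is assumed as the way to make a change that also survives reboot on AIX 5.2 and later, and the "no -a" excerpt at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the security tunables
# listed above against "no -a" output and emit remediation commands.
# Assumptions: baseline values as given on the page; "no -p -o" makes a
# change that persists across reboot; the sample "no -a" output below is
# constructed for the demonstration.

# name=value pairs taken from the page
NO_BASELINE="tcp_icmpsecure=1 rfc1122addrchk=1 tcp_tcpsecure=7 ip_nfrag=200 tcp_syn_rcvd_max=500"

# audit_no_tunables FILE: FILE holds the output of "no -a". Prints one
# remediation command per deviating or missing tunable; the return code
# is the number of deviations (0 = compliant).
audit_no_tunables() {
    f=$1
    drift=0
    for kv in $NO_BASELINE; do
        name=${kv%%=*}
        want=${kv#*=}
        # "no -a" prints "   name = value"; take the first match only.
        have=$(sed -n "s/^ *$name = //p" "$f" | head -n 1)
        if [ -z "$have" ]; then
            echo "# $name not reported by this AIX level; confirm it exists before setting it"
            drift=$((drift + 1))
        elif [ "$have" != "$want" ]; then
            echo "no -p -o $name=$want   # currently $have"
            drift=$((drift + 1))
        fi
    done
    return $drift
}

# Constructed sample of "no -a" output for a host still on default settings.
SAMPLE_NO_OUTPUT='          tcp_icmpsecure = 0
               ip_nfrag = 200
          rfc1122addrchk = 0
            tcp_tcpsecure = 0
            tcp_recvspace = 16384'

# Live use on AIX:  no -a > /tmp/no.out && audit_no_tunables /tmp/no.out
```

Review the printed commands before running them: tcp_syn_rcvd_max in particular is not present on every AIX level, which is why a missing tunable is reported as a comment rather than as a command.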


Google announces intention to begin deprecating SHA-1

Google has announced a provisional plan and timetable to reduce support for X.509 certificates whose signatures use SHA-1. The industry is now replacing SHA-1 with the SHA-2 family (in practice SHA-256) because attacks on SHA-1 have improved to the point where producing two different messages with the same hash is within reach of a well-funded attacker, and growing computing power only makes that cheaper.

A hash is a fixed-length string produced when a one-way function processes a message. It lets a browser or program API check that a signed message has not been tampered with, because a certificate signature is computed over the hash of the certificate rather than over the certificate itself.
A hash function is meant to make it infeasible to find two messages that produce the same hash. Such pairs always exist in principle, since there are far more possible messages than hash values, and when one is found it is referred to as a "hash collision".

Collisions matter for certificates because an attacker who can produce a harmless certificate request and a malicious certificate that hash to the same value can have the first signed by a CA and then reuse that signature on the second. Brute-forcing an existing hash, or looking it up in precomputed rainbow tables, is a different problem (recovering short inputs such as passwords) and is not what makes SHA-1 unsuitable for signatures.

What does this mean to you?

In simple terms you need to make an inventory of all your existing certificates, determine when each is due for renewal and how it was signed, and then either replace them now with certificates signed using SHA-2 or buy new ones when they expire. Great care and a lot of testing are required, because some older browsers and clients cannot process SHA-2 certificates, and the users of your website will otherwise start to see browser warnings.

If you are using certificates on your AIX system you can use SystemScan AIX to help you to find and document them.
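Whatever tool you use to find the files, the inventory itself comes down to reading the signature algorithm and expiry out of each certificate. The script below is an added example, not code from the original post or from SystemScan AIX: it walks a directory for PEM certificates, records the signature algorithm and notAfter date, and flags SHA-1 (and MD5) signatures for replacement. It assumes the openssl command is installed (on AIX, from IBM's OpenSSL package); the classifier works on the "Signature Algorithm:" line of "openssl x509 -text" output, so the constructed excerpt at the bottom exercises it without openssl.

```shell
#!/bin/sh
# Added example (not from the original post): inventory PEM certificates,
# record signature algorithm and expiry, and flag SHA-1/MD5 signatures.
# Assumptions: the openssl command is available; the sample text at the
# bottom is a constructed excerpt of "openssl x509 -text" output.

# sig_alg_from_text: reads "openssl x509 -text" output on stdin and prints
# the first "Signature Algorithm" value (the one inside the signed part;
# openssl prints it a second time at the end of the dump).
sig_alg_from_text() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# classify_sig_alg ALG: 0 = SHA-2 family, 1 = SHA-1 or MD5 (replace),
# 2 = anything else (look at it by hand).
classify_sig_alg() {
    case "$1" in
        *[sS][hH][aA]1*|*[mM][dD]5*)
            echo "replace ($1)"; return 1 ;;
        *[sS][hH][aA]256*|*[sS][hH][aA]384*|*[sS][hH][aA]512*)
            echo "SHA-2 ($1)"; return 0 ;;
        *)
            echo "unknown ($1)"; return 2 ;;
    esac
}

# inventory_certs DIR: one tab-separated line per certificate found:
# path, signature algorithm, verdict, notAfter.
inventory_certs() {
    find "$1" -type f \( -name '*.pem' -o -name '*.crt' -o -name '*.cer' \) |
    while read -r f; do
        text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || continue
        alg=$(printf '%s\n' "$text" | sig_alg_from_text)
        verdict=$(classify_sig_alg "$alg" || true)
        expiry=$(printf '%s\n' "$text" | sed -n 's/^ *Not After *: *//p' | head -n 1)
        printf '%s\t%s\t%s\t%s\n' "$f" "$alg" "$verdict" "$expiry"
    done
}

# Constructed excerpt of "openssl x509 -text" output for a SHA-1 certificate.
SAMPLE_SHA1_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example CA
        Validity
            Not Before: Jan  1 00:00:00 2014 GMT
            Not After : Jan  1 00:00:00 2017 GMT'

# Live use:  inventory_certs /var/ssl | sort -t "$(printf '\t')" -k4
```

Keystores (Java, GSKit) hold certificates in other formats; export them to PEM first or extend the find pattern, and treat anything classified as "unknown" as a manual follow-up rather than as safe.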


What does that port do?

Have you ever run lsof or netstat and wondered why a port was open, or what it does? This site is a useful way of checking: https://www.adminsub.net/tcp-udp-port-finder
It also lists the most common attacks known to be aimed at each port.

You can also look at the entries in "/etc/services", but they are not guaranteed to be accurate: several ports are used for multiple purposes, and an attacker can hide behind a well-known port that is not currently in use for anything else. The port number tells you what a service is supposed to be; only the owning process (lsof -i) tells you what it actually is.
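To turn that into a routine check rather than a one-off lookup, the following added example (not from the original post) extracts the listening TCP and UDP ports from "netstat -an" output and looks each one up in a services file, so that listeners with no entry stand out for investigation. It assumes the AIX netstat layout shown in the constructed sample below ("tcp4  0  0  *.22  *.*  LISTEN"); the constructed services excerpt stands in for /etc/services. As the text above says, a name from /etc/services is only a hint, which is why the report should be read alongside lsof output for the same ports.

```shell
#!/bin/sh
# Added example (not from the original post): report listening ports from
# "netstat -an" output with their /etc/services names, flagging UNKNOWN.
# Assumptions: AIX netstat column layout as in the constructed sample;
# the services excerpt is a constructed subset of /etc/services.

# listening_ports FILE: prints "proto port" for each TCP LISTEN line and
# each UDP socket with no remote address. The port is whatever follows
# the last "." of the local address, which also works for IPv6 lines.
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "."); print "tcp", a[n] }
        $1 ~ /^udp/ && $5 == "*.*"     { n = split($4, a, "."); print "udp", a[n] }
    ' "$1" | sort -u
}

# service_name PROTO PORT SERVICES_FILE: prints the service name recorded
# for PORT/PROTO in a services-style file, or UNKNOWN.
service_name() {
    name=$(awk -v p="$2/$1" '$1 !~ /^#/ && $2 == p { print $1; exit }' "$3")
    echo "${name:-UNKNOWN}"
}

# report_listeners NETSTAT_FILE SERVICES_FILE: one line per listener.
# UNKNOWN lines deserve "lsof -i :PORT" to find the owning process;
# a known name is not proof that the expected daemon is behind it.
report_listeners() {
    listening_ports "$1" | while read -r proto port; do
        printf '%s/%s\t%s\n' "$proto" "$port" "$(service_name "$proto" "$port" "$2")"
    done
}

# Constructed "netstat -an" excerpt with one unexplained UDP listener.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.3306                 *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.9.51514         ESTABLISHED
udp4       0      0  *.161                  *.*
udp4       0      0  *.31337                *.*'

# Constructed subset of /etc/services.
SAMPLE_SERVICES='# service  port/proto
ssh     22/tcp
mysql   3306/tcp
snmp    161/udp'

# Live use on AIX:  netstat -an > /tmp/ns.out && report_listeners /tmp/ns.out /etc/services
```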


References

Vesting Finance

Vesting Finance runs 6 systems which need to be in sync and up to date. SystemScan AIX helps our support team to regularly scan and check our systems for consistency and to reduce maintenance time and cost.

Prevention is better than cure.

- Wesley Goedegebuure, teamleader ICT

Yamaha Motor Europe

SystemScan AIX helped us to quickly and easily scan our system configuration. Understanding our environment allowed us to manage it better to identify problems and potential knowledge gaps.

Yamaha Motor Europe has a complex mission critical clustered system which makes it vital for us to maximise efficiency and minimise downtime.

- Kees Trommel, IT manager

About SystemScan AIX

SystemScan AIX consists of a single RPM that can be installed on AIX 5.3, 6.1 or 7.1. It also has separate modules for HMC/IVM and VIOS that can be run from cron and silently produce system configuration reports, which can then be transferred to another server for analysis.